Class SeverityUtil

java.lang.Object
org.owasp.dependencycheck.utils.SeverityUtil

public final class SeverityUtil extends Object
Utility to estimate severity level scores.
Author:
Jeremy Long
  • Method Details

    • estimateCvssV2

      public static Double estimateCvssV2(String severity)
      Estimates the CVSS V2 score from a textual severity. The implementation defaults to 3.9 if no recognized severity level (critical, high, low) is given.
      Parameters:
      severity - the severity text (e.g. "medium")
      Returns:
      a score from 0 to 10
    • unscoredToSeveritytext

      public static String unscoredToSeveritytext(String severity)
      Converts a textual severity to the text that should be used to signal it in a report.
      Parameters:
      severity - The textual unscored severity
      Returns:
      The severity when properly recognized, otherwise the severity extended with a remark that it was not recognized and assumed to represent a critical severity.
    • estimatedSortAdjustedCVSSv3

      public static Double estimatedSortAdjustedCVSSv3(String severity)
      Creates an estimated sort-adjusted CVSSv3 score for an unscored textual severity. For recognized severities below critical it returns the lower bound of the CVSSv3 baseScore range for that severity. For a recognized critical severity it returns a score between the upper bound of the CVSSv2 HIGH range and the lowest sort-adjusted CVSSv3 critical score, so that unscored critical vulnerabilities sort between CRITICAL-scored CVSSv3 vulnerabilities and HIGH-scored CVSSv2 vulnerabilities. For an unrecognized severity it returns a score between the top CVSSv2 HIGH score and the estimatedSortAdjustedCVSSv3 score for a recognized critical severity, so that a recognized critical severity always outranks an unrecognized one, while unrecognized severities are still assumed to be of a critical nature.
      Parameters:
      severity - The textual severity, may be null
      Returns:
      A numeric score (Double) that can be used to sort vulnerabilities by approximated severity (the highest value represents the highest severity).
    • sortAdjustedCVSSv3BaseScore

      public static Double sortAdjustedCVSSv3BaseScore(Double cvssV3BaseScore)
      Computes an adjusted CVSSv3 baseScore that ensures CRITICAL CVSSv3 scores sort above HIGH CVSSv2 scores and CRITICAL unscored severities, so that a best-effort sort lets the report list a reliable 'highest severity'.
      Parameters:
      cvssV3BaseScore - The cvssV3 baseScore severity of a vulnerability
      Returns:
      The cvssV3 baseScore, adjusted where necessary to guarantee that CVSSv3 CRITICAL scores rate higher than CVSSv2 HIGH scores, unscored critical severities and unscored unrecognized severities (which are assumed, for sorting purposes, to be of a critical nature).
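The ordering that estimatedSortAdjustedCVSSv3 and sortAdjustedCVSSv3BaseScore describe, as an added illustrative re-implementation that is not the project's own code: the CVSS band boundaries are the published CVSS v2/v3 ones, but the lift offset and the two in-between constants are assumptions chosen only to satisfy the documented invariants, and the Finding record and sample entries are constructed for the demo.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

/** Illustrative re-implementation of the documented sort order (not the project's code). */
public final class SeverityOrderingDemo {
    // CVSS v3.x qualitative band lower bounds; CVSS v2 HIGH tops out at 10.0.
    static final double V3_LOW = 0.1, V3_MEDIUM = 4.0, V3_HIGH = 7.0, V3_CRITICAL = 9.0;
    static final double V2_HIGH_MAX = 10.0;
    // Assumed constants, chosen only to satisfy the documented invariants.
    static final double CRITICAL_LIFT = 2.0;       // v3 9.0..10.0 becomes 11.0..12.0
    static final double UNSCORED_CRITICAL = 10.5;  // above any v2 HIGH, below any lifted v3 critical
    static final double UNRECOGNIZED = 10.25;      // above v2 HIGH, below recognized unscored critical

    /** Lift CVSSv3 CRITICAL scores so they always sort above CVSSv2 HIGH and unscored severities. */
    static double sortAdjustedCvssV3BaseScore(double base) {
        return base >= V3_CRITICAL ? base + CRITICAL_LIFT : base;
    }

    /** Sort key for a finding that only carries a textual severity (null tolerated). */
    static double estimatedSortAdjustedCvssV3(String severity) {
        String s = severity == null ? "" : severity.trim().toLowerCase(Locale.ROOT);
        switch (s) {
            case "low":      return V3_LOW;
            case "medium":
            case "moderate": return V3_MEDIUM;
            case "high":     return V3_HIGH;
            case "critical": return UNSCORED_CRITICAL;
            default:         return UNRECOGNIZED;  // unknown text is treated as critical
        }
    }

    record Finding(String label, double sortKey) {}

    public static void main(String[] args) {
        // Constructed sample findings mixing CVSSv2-only, CVSSv3 and unscored entries.
        List<Finding> findings = new ArrayList<>(List.of(
            new Finding("v2 HIGH 10.0",      V2_HIGH_MAX),
            new Finding("v3 CRITICAL 9.1",   sortAdjustedCvssV3BaseScore(9.1)),
            new Finding("unscored critical", estimatedSortAdjustedCvssV3("Critical")),
            new Finding("unscored 'urgent'", estimatedSortAdjustedCvssV3("urgent")),
            new Finding("v3 HIGH 8.8",       sortAdjustedCvssV3BaseScore(8.8)),
            new Finding("unscored moderate", estimatedSortAdjustedCvssV3("moderate"))));
        findings.sort((a, b) -> Double.compare(b.sortKey(), a.sortKey()));  // highest first
        for (Finding f : findings) {
            System.out.printf("%-18s %5.2f%n", f.label(), f.sortKey());
        }
    }
}
```

Sorted highest first, the lifted CVSSv3 CRITICAL entry leads, followed by the recognized unscored critical, the unrecognized text, the CVSSv2 HIGH 10.0, the CVSSv3 HIGH and finally the unscored moderate, which is exactly the precedence the two method descriptions above require.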